[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
This was fixed in 3.12.3, which is available in all releases.

** Changed in: nss (Ubuntu)
       Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/312536

Title: Stop honoring digital signatures based on MD5 hashes

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
** Changed in: firefox
       Status: Confirmed => Fix Released
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
** Changed in: nss (Ubuntu)
   Importance: Critical => High

** Changed in: nss (Ubuntu)
     Assignee: Alexander Sack (asac) => (unassigned)
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
The consent among firefox/nss developers seems to be that disabling MD5 would break too much of the internet; however, nss will provide a mechanism to disable MD5 through preferences in future, but we won't use this bug to track the progress on that issue. Marking won't fix.

** Changed in: nss (Ubuntu Jaunty)
       Status: Triaged => Won't Fix

** Changed in: nss (Ubuntu Intrepid)
       Status: Triaged => Won't Fix

** Changed in: nss (Ubuntu Hardy)
       Status: Triaged => Won't Fix

** Changed in: nss (Ubuntu Gutsy)
       Status: Triaged => Won't Fix

** Changed in: firefox (Ubuntu Dapper)
       Status: Triaged => Won't Fix
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
As the consensus appears to be that we will track upstream on this, it's unrealistic to set any milestone deadline for the fix. If and when upstream moves, it will still be appropriate to address this, including in SRU.

** Changed in: nss (Ubuntu Jaunty)
       Target: jaunty-alpha-4 => None
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
I agree with Sean McNamara on this one. Implementing a fix for this other than the suggested Firefox equivalent would be a rash move that would disable far too many valid services based on a hand-crafted attack that required considerable expertise and hardware. Until a move is made to the SHA family of hashes by the certifying authorities there is no practical way to resolve this issue.
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
A successful attack would mean that the attackers would have a rogue CA. They would then be able to generate a bogus certificate for any site without any additional resources. This issue should therefore be considered critical in my opinion. The benefit to an attacker would justify using considerable resources in generating the rogue CA cert. I do think that the end-user should be able to override the security weakness warning.
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
> I do think that the end-user should be able to override the security weakness warning. - Miron Cuperman

How do we mitigate that a large group of CAs still use MD5 instead of using the SHA certs? We cannot force a change on them, and all we would do is remove potentially harmful services from users. MD5 is still a valid hashing function, just not a valid cryptographic function. We should be pushing as a community for CAs to move to SHA-based hashes, which are still cryptographically sound.
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
As long as the end-user can override the warning, they are still able to continue with existing workflows based on their judgment. Also, the warning would encourage CAs and web sites to move to SHA more quickly.
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
The essence of this bug is not one that we can fix in software. The problem is not an implementation detail; it is inherent in the algorithms used to comply with the X.509 Cert spec. The implementations thereof are not buggy with respect to this bug report; any implementation that correctly behaves according to the spec will exhibit the same behavior. Meanwhile, breaking compliance with the spec will cause any services which depend upon MD5-signed X.509 certificates to fail in some way. The real fix rests entirely on the shoulders of CAs who continue to use MD5 hashing as an encryption technique.

If Ubuntu software implements automatic refusal of MD5-signed PKI certificates, many users' workflow will be disrupted. Additionally, regression testing is not based solely on a particular domain of computers or deployments; a _comprehensive_ regression test would require attempting to establish HTTPS with _every_ website out there. And you can't do that, because many websites are within LANs, VPNs, etc.

In the example of Firefox, it might be acceptable to consider any MD5-signed X.509 certificates to be invalid, which then displays the "Get me out of here!" vs. "Add an exception..." buttons, just as if someone used themselves as the root CA, i.e. self-signing, which is never accepted as a valid certificate already.

I would caution against implementing anything, or accepting upstream bug fixes to any services, which does not provide the user an alternative (be it a configuration file, command line switch, environment variable, or GUI) to accept the certificate even if it is invalid. Otherwise, this will disrupt existing, legitimate, production services based on a fairly far-fetched attack which must be hand-crafted for each individual victim. But as long as users have some documented way of bypassing a warning about this problem, that is fine.
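The messages above argue over whether a client should refuse MD5-signed X.509 certificates outright, warn with a documented override, or leave the decision to CAs. The following is an added example, not code from this bug thread, NSS or Firefox, showing what that policy check looks like in practice: it reads the signatureAlgorithm of a DER-encoded certificate using only the Python standard library, confirms it matches the algorithm declared inside tbsCertificate (RFC 5280 requires the two to agree), and returns accept, reject, or accept-with-override. The function names, the `allow_weak_signatures` flag and the `make_sample_certificate` helper are assumptions of this example; the OID values are the real PKCS#1 identifiers from RFC 3279 and RFC 4055. The sample certificates it builds are constructed, unsigned placeholders just large enough for the parser, not real certificates.

```python
"""Added example: classify the signature algorithm of a DER X.509 certificate
and apply an MD5 policy with an explicit operator override (stdlib only)."""

# Well-known PKCS#1 signature AlgorithmIdentifier OIDs (RFC 3279, RFC 4055).
# Only the MD5/MD2 verdict mirrors the policy discussed in the thread; the
# other entries are simply treated as accepted here.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "accepted"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "accepted"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "accepted"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "accepted"),
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def _algorithm_oid(alg):
    """OID from the content of an AlgorithmIdentifier SEQUENCE."""
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_algorithm_oid(cert_der):
    """OID of the outer Certificate.signatureAlgorithm field."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)              # tbsCertificate, skipped here
    tag, alg, _ = _read_tlv(cert, pos)             # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    return _algorithm_oid(alg)


def tbs_signature_oid(cert_der):
    """OID of tbsCertificate.signature (must equal the outer algorithm)."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                                # optional EXPLICIT [0] version
        tag, _, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    tag, alg, _ = _read_tlv(tbs, pos)              # signature AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("tbsCertificate.signature is not a SEQUENCE")
    return _algorithm_oid(alg)


def evaluate_certificate(cert_der, allow_weak_signatures=False):
    """Return (verdict, detail): 'accept', 'reject' or 'accept-with-override'."""
    outer, inner = signature_algorithm_oid(cert_der), tbs_signature_oid(cert_der)
    if outer != inner:                             # RFC 5280 s4.1.1.2 requires equality
        return "reject", f"signature algorithm mismatch: {inner} vs {outer}"
    name, strength = SIGNATURE_OIDS.get(outer, (outer, "unknown"))
    if strength == "weak":
        return ("accept-with-override" if allow_weak_signatures else "reject"), name
    if strength == "unknown":
        return "reject", name
    return "accept", name


# --- constructed sample input (not real certificates) -----------------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_certificate(sig_oid, tbs_sig_oid=None):
    """Constructed, unsigned certificate-shaped DER; only the fields the
    parser above reads are meaningful. tbs_sig_oid lets a mismatch be built."""
    alg_id = lambda oid: _tlv(0x30, _tlv(0x06, _encode_oid(oid)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))   # version v3
                     + _tlv(0x02, b"\x01")              # serialNumber 1
                     + alg_id(tbs_sig_oid or sig_oid)   # signature
                     + _tlv(0x30, b""))                 # issuer placeholder
    sig_value = _tlv(0x03, b"\x00" + b"\xAA" * 4)       # dummy BIT STRING
    return _tlv(0x30, tbs + alg_id(sig_oid) + sig_value)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(oid, evaluate_certificate(make_sample_certificate(oid)))
```

The override flag is the point the thread keeps returning to: the default verdict for an MD5 signature is reject, and the only way to get accept-with-override is for the operator to set it explicitly, which is the kind of documented escape hatch (config file, switch, or GUI exception) the posters ask for. The inner/outer algorithm comparison is a cheap extra check that catches certificates whose declared algorithm does not match what was actually used to sign.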
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
This is an important bug for us to see fixed in Ubuntu 8.04, but it should not be tied to the Ubuntu 8.04.2 milestone which is due out in just 2½ weeks. More regression-testing than that is warranted for such a regression-prone fix.

** Changed in: nss (Ubuntu Hardy)
       Target: ubuntu-8.04.2 => None
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
NSS is shipped by the firefox package in dapper.

** Changed in: firefox (Ubuntu Dapper)
   Importance: Undecided => Critical
     Assignee: (unassigned) => Alexander Sack (asac)
       Status: New => Triaged
       Target: None => dapper-updates

** Changed in: firefox (Ubuntu Gutsy)
       Status: New => Invalid

** Changed in: firefox (Ubuntu Hardy)
       Status: New => Invalid

** Changed in: firefox (Ubuntu Intrepid)
       Status: New => Invalid

** Changed in: firefox (Ubuntu Jaunty)
       Status: New => Invalid

** Changed in: nss (Ubuntu Dapper)
       Status: Triaged => Invalid
       Target: dapper-updates => None

** Changed in: nss (Ubuntu Hardy)
     Assignee: (unassigned) => Alexander Sack (asac)

** Changed in: nss (Ubuntu Intrepid)
     Assignee: (unassigned) => Alexander Sack (asac)

** Changed in: nss (Ubuntu Jaunty)
     Assignee: (unassigned) => Alexander Sack (asac)
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
Waiting for upstream solution on this.

** Changed in: firefox-3.0 (Ubuntu)
   Importance: Undecided => Critical
       Status: New => Triaged
       Target: None => jaunty-alpha-4

** Changed in: firefox-3.0 (Ubuntu Dapper)
   Importance: Undecided => Critical
       Status: New => Triaged
       Target: None => dapper-updates

** Changed in: firefox-3.0 (Ubuntu Gutsy)
   Importance: Undecided => Critical
     Assignee: (unassigned) => Alexander Sack (asac)
       Status: New => Triaged
       Target: None => gutsy-updates

** Changed in: nss (Ubuntu Dapper)
Sourcepackagename: firefox-3.0 => nss

** Changed in: nss (Ubuntu Hardy)
   Importance: Undecided => Critical
       Status: New => Triaged
       Target: None => ubuntu-8.04.2

** Changed in: nss (Ubuntu Intrepid)
   Importance: Undecided => Critical
       Status: New => Triaged
       Target: None => intrepid-updates
[Bug 312536] Re: Stop honoring digital signatures based on MD5 hashes
** Changed in: firefox
       Status: Unknown => Confirmed